Can I configure this PIX 515E without failover? Also, why the IP assignment problem?

Posted on 2006-04-21
Last Modified: 2013-11-16
We have acquired a "PIX 515E FO-AA BUN-sw Act/ac Tfo License Vac+ 6fe" firewall and I am having trouble configuring it as a primary. Is it even possible to configure it as the primary (and ultimately the only) firewall?

The difficulties I'm having seem to revolve around my inability to assign the inside interface an IP address. Using the CLI, I go into configure mode for the interface and give it "ip address inside" and the command completes with no errors reported, yet when I "show interface", it reports the inside interface as having no IP address assigned.

BTW, if I use the CLI to "configure factory-default" then "show interface", it does assign the inside interface an IP and I'm able to use ASDM successfully, which is very strange to me. Despite using "write memory" to save that working configuration to the flash, rebooting the firewall reloads a non-functioning config, giving me the same problem I described above.

Even running the "setup" command and assigning the IP address that way fails to actually assign it. The ONLY way I can get it to work is through loading the factory-defaults.

Your help is GREATLY appreciated!
Question by:madabdul82
    LVL 4

    Expert Comment

    We tried setting up a PIX with a failover license as a standalone. We got the IP address to take, but without its partner in crime it will not ARP.

    Fishnet Security

    LVL 7

    Expert Comment

    A PIX with a failover license will not work by itself - the failover license is the cheapest one to get, because it is only used for the 2nd PIX in a failover pair - the primary uses an unrestricted license (most costly) and the secondary can run on an FO license.

    You will need to buy at least a restricted license to run your PIX.

    LVL 9

    Accepted Solution

    Although not recommended, a PIX with a FO or FO-AA license can function as a standalone unit but will reboot at least once every 24 hours until you return it to its proper function. I had customers who ran their firewall as a standalone using FO licenses but they eventually bought the proper license. Just don't forget to run the command "failover active" (even when not using a failover configuration). This command is necessary to get the firewall running as standalone.

    When you do the command "configure factory-default", the PIX does the following:

    The default factory configuration for the PIX 515/515E security appliance configures the following:

    1) E1 (inside) interface will have the IP address and mask of

    2) DHCP server will be enabled in the range of to So any PC connecting to the internal network should get an IP address from the PIX.

    3) HTTP server ( will likewise be enabled for ASDM and should be accessible from the

    So by factory default config, you should already have an IP address assigned on the E1 of the PIX which is Unless you want to change that, then that's the time you should go to the interface config mode.

    If you want to change the IP address of the PIX, here's what I would advise you to do.

    1) First do the command "failover active"
    2) Then go to interface configuration mode and make the necessary changes:


    interface ethernet1
     ip address
     nameif inside
     no shut

    3) Save it to memory using the command: "copy running-config startup-config"


    Author Comment

    Thank you for the concise answer, stressedout2004! Basically it's fooling the PIX into thinking its counterpart is malfunctioning...but the joke is really on me.

    I will be acquiring the correct licensing for this PIX to run as a primary and I very much appreciate both you and the administrator cautioning me on that.

    Thanks again!
    LVL 51

    Expert Comment

    by:Keith Alabaster
    I'm pleased you took the comment the way it was meant and you have the information you need.

